Trusted AP policies are a security feature in the controller that is
designed for scenarios where customers run a parallel autonomous AP
network alongside the controller. In that scenario, an autonomous AP can be
marked as a trusted AP on the controller, and the user can define policies
for these trusted APs (for example, that they use only WEP or WPA, our own SSID, a short
preamble, and so on). If any of these APs fails to meet these policies, the
controller raises an alarm to the network management device (Wireless Control
System) that states that a trusted AP violated a configured policy.

Trusted APs are APs that are not part of an organization. However, they
do not cause a security threat to the network. These APs are also called
friendly APs. Several scenarios exist where you might want to configure an AP
as a trusted AP.

For example, you might have different categories of APs in your network
such as:

1. APs you own that do not run LWAPP (perhaps they run IOS or VxWorks)

2. LWAPP APs that employees bring in (with the knowledge of the administrator)

3. LWAPP APs used to test the existing network

4. LWAPP APs that neighbors own

Normally, trusted APs are APs that fall into category
1, which are APs you own that do not run LWAPP. They might be old APs
that run VxWorks or IOS. In order to ensure that these APs do not damage the
network, certain features can be enforced, such as correct SSIDs and
authentication types. Configure the trusted AP policies on the WLC, and make
sure that the trusted APs meet these policies. If they do not, you can configure the
controller to take several actions, such as raising an alarm to the network
management device (WCS).

Known APs that belong to the neighbors can be configured as trusted
APs.

If you have APs that run VxWorks or IOS (as in category 1), they will
never join the LWAPP group or do MFP, but you might want to enforce the
policies listed on that page. In such cases, trusted AP policies need to be
configured on the controller for the APs of interest.

In general, if you know about a rogue AP and identify that it is not a
threat to your network, you can identify that AP as a known trusted AP.

This policy is used to define the encryption type that the trusted AP
should use. You can configure any of these encryption types under Enforced
encryption policy:

- None
- Open
- WEP
- WPA/802.11i

The WLC verifies whether the encryption type configured on the trusted
AP matches the encryption type configured in the "Enforced encryption
policy" setting. If the trusted AP does not use the designated
encryption type, the WLC raises an alarm to the management system so that
appropriate actions can be taken.

The radio preamble (sometimes called a header) is a section of data at
the head of a packet that contains information that wireless devices need when
they send and receive packets. Short preambles improve
throughput performance, so they are enabled by default. However, some wireless
devices, such as SpectraLink NetLink phones, require long
preambles. You can configure any of these preamble options under Enforced
preamble policy:

- None
- Short
- Long

The WLC verifies whether the preamble type configured on the trusted AP
matches the preamble type configured in the "Enforced preamble
policy" setting. If the trusted AP does not use the specified preamble
type, the WLC raises an alarm to the management system so that
appropriate actions can be taken.

This policy is used to define the radio type that the trusted AP should
use. You can configure any of these Radio types under Enforced radio type
policy:

- None
- 802.11b only
- 802.11a only
- 802.11b/g only

The WLC verifies whether the radio type configured on the trusted AP
matches the radio type configured in the "Enforced radio type
policy" setting. If the trusted AP does not use the specified radio type,
the WLC raises an alarm to the management system so that appropriate
actions can be taken.

You can configure the controller to validate a trusted AP's SSID against
the SSIDs configured on the controller. If the trusted AP's SSID matches one of
the controller's SSIDs, the controller raises an alarm.

The Expiration Timeout value specifies the number of seconds before
the trusted AP is considered expired and its entry is flushed from the WLC. You can
specify this timeout value in seconds (120 - 3600 seconds).
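The five checks above (enforced encryption, enforced preamble, enforced radio type, SSID validation and the expiration timeout) all follow the same pattern: an enforced value of "None" disables the check, any other value is compared directly against what the controller has observed on the trusted AP, and a mismatch produces an alarm. The following Python model is an added example written for this page, not Cisco WLC code; the field names (bssid, ssid, encryption, preamble, radio, last_seen), the alarm tuples and the audit() helper are assumptions chosen for illustration, and the sample APs and controller SSIDs are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass

# Permitted values for each enforced policy, as listed on the page.
# "None" means the policy is not enforced and the check is skipped.
ENCRYPTION_CHOICES = {"None", "Open", "WEP", "WPA/802.11i"}
PREAMBLE_CHOICES = {"None", "Short", "Long"}
RADIO_CHOICES = {"None", "802.11b only", "802.11a only", "802.11b/g only"}
TIMEOUT_MIN, TIMEOUT_MAX = 120, 3600  # seconds, the documented range


@dataclass(frozen=True)
class TrustedApPolicy:
    """The controller's trusted AP policy settings (field names are assumed)."""
    enforced_encryption: str = "None"
    enforced_preamble: str = "None"
    enforced_radio: str = "None"
    validate_ssid: bool = False
    expiration_timeout: int = 120

    def __post_init__(self) -> None:
        # Reject settings the controller would not accept in its GUI.
        if self.enforced_encryption not in ENCRYPTION_CHOICES:
            raise ValueError(f"bad encryption policy: {self.enforced_encryption}")
        if self.enforced_preamble not in PREAMBLE_CHOICES:
            raise ValueError(f"bad preamble policy: {self.enforced_preamble}")
        if self.enforced_radio not in RADIO_CHOICES:
            raise ValueError(f"bad radio type policy: {self.enforced_radio}")
        if not TIMEOUT_MIN <= self.expiration_timeout <= TIMEOUT_MAX:
            raise ValueError(f"expiration timeout must be {TIMEOUT_MIN}-{TIMEOUT_MAX} s")


@dataclass(frozen=True)
class ObservedAp:
    """What the controller has learned about one trusted AP (constructed fields)."""
    bssid: str
    ssid: str
    encryption: str   # "Open", "WEP" or "WPA/802.11i"
    preamble: str     # "Short" or "Long"
    radio: str        # "802.11b only", "802.11a only" or "802.11b/g only"
    last_seen: int    # seconds (epoch) when the AP was last detected


def check_trusted_ap(ap: ObservedAp, policy: TrustedApPolicy,
                     controller_ssids: set[str]) -> list[tuple[str, str]]:
    """Return (policy, detail) alarms for one trusted AP; empty when compliant."""
    alarms: list[tuple[str, str]] = []
    # Each enforced setting is a direct comparison against the observed value.
    for name, enforced, observed in (
        ("encryption", policy.enforced_encryption, ap.encryption),
        ("preamble", policy.enforced_preamble, ap.preamble),
        ("radio", policy.enforced_radio, ap.radio),
    ):
        if enforced != "None" and observed != enforced:
            alarms.append((name, f"{ap.bssid}: {name} {observed!r} != enforced {enforced!r}"))
    # SSID validation alarms when the trusted AP advertises one of the
    # controller's own SSIDs.
    if policy.validate_ssid and ap.ssid in controller_ssids:
        alarms.append(("ssid", f"{ap.bssid}: SSID {ap.ssid!r} matches a controller SSID"))
    return alarms


def is_expired(ap: ObservedAp, policy: TrustedApPolicy, now: int) -> bool:
    """True once the AP has gone unseen for longer than the expiration timeout."""
    return now - ap.last_seen > policy.expiration_timeout


def audit(aps: list[ObservedAp], policy: TrustedApPolicy,
          controller_ssids: set[str], now: int) -> dict[str, list[tuple[str, str]]]:
    """Evaluate every non-expired trusted AP; expired entries are flushed (omitted)."""
    return {ap.bssid: check_trusted_ap(ap, policy, controller_ssids)
            for ap in aps if not is_expired(ap, policy, now)}


# Constructed sample data: one compliant AP, one violating AP, one stale AP.
POLICY = TrustedApPolicy(enforced_encryption="WPA/802.11i", enforced_preamble="Short",
                         validate_ssid=True, expiration_timeout=300)
CONTROLLER_SSIDS = {"corp-wlan", "corp-voice"}
APS = [
    ObservedAp("00:11:22:33:44:55", "legacy-lab", "WPA/802.11i", "Short", "802.11b/g only", 1000),
    ObservedAp("00:11:22:33:44:66", "corp-wlan", "WEP", "Short", "802.11b only", 1000),
    ObservedAp("00:11:22:33:44:77", "legacy-lab", "WPA/802.11i", "Short", "802.11a only", 500),
]

if __name__ == "__main__":
    for bssid, alarms in audit(APS, POLICY, CONTROLLER_SSIDS, now=1200).items():
        print(bssid, "OK" if not alarms else [detail for _, detail in alarms])
```

Running the script at now=1200 reports the first AP as compliant, the second with an encryption alarm and an SSID alarm, and omits the third because it has not been seen for 700 seconds, beyond the 300 second timeout.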

Notice the highlighted error messages here. These error messages
indicate that the SSID and the encryption type configured on the trusted AP do
not match the Trusted AP policy setting.

The same alert message can be seen in the WLC GUI. In order to view
this message, go to the WLC GUI main menu and click Monitor.
In the Most Recent Traps section of the Monitor page, click View
All in order to view all recent alerts on the WLC.

On the Most Recent Traps page, you can identify the controller that
generates the trusted AP policy violation alert message as shown in this
image: